#!/bin/bash

# ----------------------------------------------------------------------
# Filename:   75677-ausearch-k.sh
# Version:    1.0
# Date:       2013/12/12
# Author:     yuanhui.shi
# Email:      yuanhui.shi@cs2c.com.cn
# Summary:    03系统安全功能-02审计功能-01auditctl-07w选项k选项p选项使用
# Notes:      ausearch -k
# Copyright:  China Standard Software Co., Ltd.
# History:
#             Version 1.0, 2013/12/12
#             -   The first one
# ----------------------------------------------------------------------

# Pin the search path so auditctl/ausearch/service resolve to the system
# binaries; ~/bin is deliberately last so it cannot shadow them.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin

source ../../../lib/Echo.sh
source ./lib/cmd.sh
source ../../../lib/XmlParse.sh
source ./lib/Ssh.sh

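#######################################
# EXIT-trap cleanup: remove the watch rule this script installs, put auditd
# back into the state probed at startup, and delete the test artefacts.
# Globals:   VAR (read) - 0 if auditd was not running before the script
#            started (we started it, so stop it again), 1 if it was already
#            running (restart it). If VAR is unset because the trap fired
#            before the probe ran, auditd is restarted.
# Outputs:   EchoInfo completion message (sourced helper)
# Note:      the rule set flushed by 'auditctl -D' and the truncated audit
#            log are NOT restored here.
#######################################
CleanData() {
  auditctl -W /etc/passwd -k password-file -p war
  # Quoted string compare with a default: an unset VAR made '[' fail with
  # "unary operator expected" and silently took the else branch.
  if [ "${VAR:-1}" = 0 ]; then
    stop_daemon auditd
  else
    restart_daemon auditd
  fi
  # /tmp/tmp1 only ever holds the daemon status probe output, so a plain
  # (non-recursive) remove is enough; -- guards against option-like names.
  rm -f -- /tmp/tmp1
  userdel -r user1
  EchoInfo "75677-ausearch-k.sh执行完毕"
}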

# Run the cleanup on every exit path, whether the script completes or
# stops early on an error.
trap CleanData EXIT


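# Record whether auditd is running before we touch it, so CleanData can
# restore that state: VAR=0 -> it was stopped, VAR=1 -> it was running.
# An if/else replaces the former 'a && b || c' chain, which also ran the
# 'service' fallback whenever systemctl reported a stopped unit, and it
# keeps the 'command -v' lookup result off stdout.
# NOTE(review): /tmp/tmp1 is a fixed name written as root; a mktemp file
# would be preferable, but CleanData removes the same path — change both
# together.
if command -v systemctl >/dev/null 2>&1; then
  systemctl status auditd >/tmp/tmp1
else
  service auditd status >/tmp/tmp1
fi

# NOTE(review): this match is case-sensitive; sysvinit 'service' prints
# "(pid NNN)" while systemctl prints "Main PID" — confirm the probe
# really detects a running auditd on systemd hosts.
if grep -q pid /tmp/tmp1; then
  VAR=1
  restart_daemon auditd
else
  VAR=0
  start_daemon auditd
fi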

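# Flush every loaded rule so the test starts from an empty rule set.
auditctl -D >/dev/null 2>&1
# EchoResult (sourced helper) presumably reports on the exit status of the
# command right before it — keep the check immediately preceding it.
# NOTE(review): "LIST_RULES" is the older 'auditctl -l' output format;
# newer audit releases print rules in command syntax — confirm this token
# on the target release.
! auditctl -l | grep -q LIST_RULES
EchoResult "目前系统规则被清空"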

# Empty the audit log so ausearch only sees events produced by this step.
# NOTE(review): the path is hard-coded; auditd.conf's log_file may point
# elsewhere — confirm on the target system.
printf '\n' >/var/log/audit/audit.log
# Touch /etc/passwd through the sourced Adduser helper while no rule is
# loaded; a search for the key must then return nothing.
Adduser user1 qwer1234
test -z "$(ausearch -k password-file)"
EchoResult "当没有审计规则时，匹配关键字的事件不被记录"


# Install the watch under test: write/attribute/read access to /etc/passwd,
# tagged with the key the following ausearch -k step looks for.
auditctl -w /etc/passwd -p war -k password-file
# NOTE(review): "LIST_RULES" is the older 'auditctl -l' output format;
# newer audit releases print rules in command syntax — confirm this token
# on the target release.
auditctl -l | grep -q LIST_RULES
EchoResult "成功添加审计规则"

# Empty the audit log again so only events raised after the rule was
# added are visible.
printf '\n' >/var/log/audit/audit.log
# NOTE(review): user1 already exists from the earlier step, so this call
# may fail; it should still open /etc/passwd and hit the -p war rule —
# confirm that is the event being asserted on.
Adduser user1 qwer1234
test -n "$(ausearch -k password-file)"
EchoResult "匹配关键字的事件显示在终端"

